Civil liberties advocates have asked the US Federal Trade Commission to take action against the nation's four major wireless carriers for selling millions of Android smartphones that never, or only rarely, receive updates to patch dangerous security vulnerabilities.

The request for investigation and complaint for injunctive relief was filed Tuesday by the American Civil Liberties Union against AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA. The majority of phones that the carriers sell run Google's Android operating system and rarely receive software updates, the 16-page document stated. It went on to allege that the practice violates provisions of the Federal Trade Commission Act barring deceptive and unfair business practices, since the carriers don't disclose that the failure to provide updates in a timely manner puts customers at greater risk of hacking attacks. Among other things, the filing seeks an order allowing customers to terminate contracts that cover a phone that's no longer eligible to receive updates.

"All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices," Christopher Soghoian, principal technologist and senior policy analyst for the ACLU, wrote in the document. "The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software. The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information, such as intimate photographs, e-mail, instant messages, and online banking credentials."

As Ars Associate Writer Casey Johnston reported in December, owners of Android handsets routinely experience lengthy waits to receive Android updates, sometimes as long as 15 months after the introduction of a particular model. Johnston's in-depth survey found that all four of the carriers sold "orphaned" devices, meaning they didn't receive a single security or feature update after they came on the market. The ACLU brief cited the Ars article and went on to say carriers should be required to disclose the security risks that arise when phones don't run up-to-date apps and OS software.

"The wireless carriers have failed to warn consumers that the smartphones sold to them are defective, that they are running vulnerable software, and that other smartphones are available that receive regular, prompt updates to which consumers could switch," the complaint stated. "The practices of the major wireless carriers alleged herein as they relate to the poor security of the smartphones sold to consumers constitute deceptive and unfair business practices subject to review by the FTC under section 5 of The Federal Trade Commission Act."

Some of the named carriers defended themselves.

"We are known for our rigorous testing protocols which lead the wireless industry, and we thoroughly test every update before delivering it to customers," a statement issued by Verizon said. "We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience."

A spokesman from Sprint wrote: "Sprint follows industry-standard best practices designed to protect its customers."

Officials of AT&T declined to comment. T-Mobile representatives didn't respond to a message seeking comment for this article.

The FTC petition highlights one of the chief disadvantages of the Android OS, particularly when compared with Apple's iOS platform. Once Google releases an update that fixes critical security vulnerabilities or adds new features, the code is usually then made available to individual phone manufacturers so they can customize it for each handset model. That modified code is then forwarded to carriers so they can optimize it for their particular wireless network. Frequently, the process results in long delays between the time an Android update is first released by Google and when it's available for a given handset. In many cases, carriers simply stop offering updates for a model. The original Motorola Droid sold by Verizon, for instance, never progressed beyond version 2.2.3 of Android, a practice that exposed customers who relied on the device to a variety of publicly known vulnerabilities that attackers can exploit to take full control of the handset.

Privilege escalation

Security experts said the proliferation of unpatched handsets opens millions of owners to hacks that wouldn't be possible if their smartphones were running more up-to-date versions of Android. The most common types of attacks on the mobile OS are launched by malicious apps exploiting vulnerabilities that escalate privileges, allowing the apps to access address books or other sensitive resources that by design are supposed to be off-limits.

"Privilege escalation vulnerabilities are commonly exploited by malicious Android apps, so that attackers can pop out of the Android 'sandbox' and gain full control over the device," Jon Oberheide, a researcher specializing in mobile security and the CTO of Duo Security, told Ars. "Since these patches are often rolled out months and years after the vulnerabilities are published, attackers can simply roll off-the-shelf exploits into their malicious apps. It doesn't require any significant level of expertise or sophistication to incorporate such exploits."

Sean Sullivan, a researcher and security advisor at antivirus provider F-Secure, said the most recent two versions of Android provide a variety of user-interface protections that are aimed at curbing some of the most common attacks targeting the mobile OS. Android 4.2, for instance, requires apps to more explicitly seek permission before being able to send text messages, a measure that thwarts malware designed to surreptitiously rack up charges to pricey services.

"Malware needs a stable end-point install base more than does legitimate software services," Sullivan said. "This fragmented market of Android's simply lengthens the time which it takes to wipe the slate clean."

According to Google data, only two percent of Android devices use the latest version of the mobile OS. More than 40 percent use version 3.2 or earlier. Version 3.2, aka Honeycomb, was released in July of 2011 and contains critical security bugs that have been fixed in later updates. An earlier but still recent version also curbs abusive apps that send notifications containing spam.

People in the US who want an Android phone that can receive updates promptly must choose a Google-managed device such as the Nexus 4. Security updates for these handsets come directly from Google, rather than from wireless carriers.

The ACLU filing is a request that the FTC investigate the carriers, along with factual and legal support for the argument that the four carriers aren't complying with US law. The commission isn't required to take any action in response. Even if FTC staff members launch an investigation, it could be months or even years before it becomes public.

109 Reader Comments

When "industry standard practice" is lagging an average of more than a year behind on critical updates and dropping support on products that are still actively being sold, maybe that's EXACTLY why they're being sued.

"We are known for our rigorous testing protocols which lead the wireless industry, and we thoroughly test every update before delivering it to customers," a statement issued by Verizon said.

Well, they're certainly known for taking their time doing testing. What I have not seen is any evidence that this extensive testing catches more bugs than their competitors. I have seen lots of evidence that they deliberately cripple features, especially those that compete with services they charge for (e.g. GPS).

This lawsuit shows a fundamental lack of understanding with how the mobile ecosystem works. Google DOES provide security updates, which would be available to EVERY SINGLE ANDROID DEVICE SOLD if the manufacturers didn't skin the damn phones with their own crapware.

People who aren't familiar with Android development say this a lot, but it's actually not that true. Merging security updates into older software is hard because of how Android software versioning works, not because someone changed your launcher. Even porting between stock devices can be nontrivial.

That said, a lot of things aren't that hard, and it's ridiculous that they don't get merged. It's those I blame the carriers for.

Edit: Well, maybe it's a little true. Samsung, etc. don't make it easy to keep their code in sync with Google, but Google practically encourages them not to by not officially supporting more than one or two hardware platforms per generation.

Considering the state that their homegrown bloatware ships in, I'd say that rigorous testing is more likely to cause problems than to correct them.

Can you elaborate? Because if I'm wrong I would really like to better understand this. Why would Google "merge security updates into older hardware" when the devices could just be upgraded to the new software, and hence receive the security updates?

I don't know the details, but if Google finds (and fixes) an issue in Android today, I imagine they patch it at HEAD, which is 4.1.something or 4.2.something; but if your device is running Android 2.3, that doesn't really help, someone needs to backport the fix to 2.3. You could ask why not upgrade to 4.2.something instead, and that gets you into the stable releases vs rolling release debate; but I can certainly understand why a phone manufacturer (or carrier) would shy away from providing major release updates.

Hopefully this means more frequent updates and support for a longer time after the device is sold. Windows XP only just stopped receiving security updates; why shouldn't phones be the same?

I'm no expert on this, but I think what he's talking about is that, like many embedded OSes, Android is essentially compiled in a large block for a particular piece of hardware with drivers etc. all included in the single OS image. It's not at all like Windows, where you can update your graphics driver completely separately from the OS. This modularity involves some costly overhead, and phone hardware has no resources to spare. So updating drivers, OS components etc. essentially requires recompiling the entire OS image with the new components included and writing it over the old image. Google updates the OS, but they don't have drivers for every piece of hardware, so it's up to OEMs to roll their drivers into what Google releases and recompile it for their specific hardware before sending it out to user devices. I'm pretty sure that even minor updates, though they may involve a fairly small download, will still need to recompile the entire OS image, and thus there's no way Google could unilaterally throw hotfixes out to users unless they were for Google apps, which update through the store.

OK, that makes sense. But it doesn't explain why the carriers are at fault for not providing security updates.

From your explanation, this seems to be more of an Android issue than anything else. iOS and WP8 devices keep receiving security updates, at least for several years. If Google isn't providing security updates to reasonably new phones, then I cannot understand why AT&T and Verizon should be held accountable.

Again, if this is incorrect, please explain. This is something worth understanding, and if I'm wrong I would like to know why. But so far as I can tell, it's Google and the hardware manufacturers at fault here - not the carriers.

OK, that makes sense. But again, how is what you just explained the fault of the carriers? It seems that is a Google/Samsung problem.

The carriers and the OEMs work together to accomplish this great feat of user hostility. In order to get updates, the OEM must invest money in actually creating the update from Google's source, and they don't always want to do this because they already have your money (HTC is the king of this brand of crap), and second the carrier must approve the update that the OEM gives them before sending it out to users, which they don't really want to do because they want your phone to suck and feel old and crappy so you buy a new one and renew your contract (Verizon is the king of this brand of crap). So really it's both. HTC phones on Verizon have the absolute shittiest update record because of this, and Samsung phones on T-Mobile generally have the best in my opinion, aside from Nexus phones.

Are there instances where the carriers have BLOCKED security updates? If so, I will concede my point and agree this isn't a frivolous lawsuit.

But I have already received two updates for my WP8 device, and they became available immediately after Nokia released them. The carriers certainly didn't block those updates. The same is true for the iPhone: Apple releases an update, and the carrier doesn't play a role in blocking it.

So if the carriers are blocking Android updates, that policy is exclusive to Android.

I'm not aware of any instances on record where (let's just say Verizon, because they are easily identifiable as the worst in this regard) Verizon outright blocked an update. But they have most definitely held up updates in their "lengthy and totally customer centered" review process for retardedly long times before. And that's only what we know. I doubt that any OEM would want to admit publicly that Verizon refused their well-meaning update and they just said OK (which is generally exactly what they do). Apple specifically mandates direct control over updates in their contracts with carriers, and I believe MS does as well to some extent with their Windows phones. Since Google releases Android open source, they can't do that. OEMs are perfectly happy to sit back and let Verizon screw their customers with ridiculously delayed updates, and Google's leverage is already gone. Verizon already won't allow Nexus phones anymore because they have no reason to give in to Google on the control of updates. An army of OEMs is already lined up to provide Android phones to Verizon without making a fuss over updates, so Google's possible threat of taking their popular Android ball and going home is empty. Verizon can get Android without Google's permission, and OEMs don't care enough about Android's public image to argue when Verizon says it needs to "review" an update for an entire year.

Carriers blocked (or at least delayed to the point that a release was skipped) WP7 updates too, so it's not exclusively Android. Apple has really set a good example here of the device manufacturer having full control of the update process, but other manufacturers may not have enough market power to push that through. I also agree that Google hasn't done a great job of making devices upgradable, although from having pushed forced upgrades to a WP7 device, that's not exactly easily manageable either, but I think Microsoft spends more resources working with manufacturers on keeping devices consistent (it helps that there is much less diversity).

I'm not really sure I'd sue carriers instead of the manufacturers about this either, but I'm guessing it's because the carriers have a clear nexus in the US; carriers probably put update approval requirements in the specs with the manufacturers; and the user is buying the device from the carrier, so there's some responsibility not to sell an unsafe product, especially for devices that have been abandoned on the software side before they are sold for the first time.

This lawsuit shows a fundamental lack of understanding with how the mobile ecosystem works. Google DOES provide security updates, which would be available to EVERY SINGLE ANDROID DEVICE SOLD if the manufacturers didn't skin the damn phones with their own crapware. It's companies like Samsung and HTC and Sony that are the problem here.

I can't believe I'm standing up for wireless providers. But they're not impeding anything when the updates aren't available due to worthless add-ons. Look no further than HTC TouchWiz and Samsung's Sense (or whatever it's called) for the explanation for why these devices aren't receiving the security updates Google is providing.

If the phones ran vanilla versions of Android, and AT&T and Verizon were blocking those phones from receiving updates, then they would be culpable.

Then why is Verizon's Galaxy Nexus so delayed in getting updates compared to Galaxy Nexus's from other carriers?

I don't mean to sound rude, but you just made a successful case for the defense of the carriers: "no evidence my clients are blocking anything, Android is just inherently less secure than the competition. But if Android is bad, that's not Verizon's fault".

It sounds to me like Google has done a supremely poor job designing their platform for long term security success. But again, that's not the carrier's fault - that's Google's fault. And the fault of consumers who don't know better.

My point isn't that carriers don't block updates, just that we probably wouldn't hear about it if they did, and we have definitely heard about them delaying them so long that they aren't relevant anymore, which is just as bad as blocking them. Carriers have an EXTREMELY large amount of leverage with low-margin OEMs. Think about your average TV ad from Verizon or AT&T: it's occasionally just about their coverage or data speeds. More often it's about a particular phone that you can only get from them. Their store staff aggressively push certain phones and not others. None of this is by accident, and low-margin OEMs can't afford to have Verizon constantly pushing customers toward the other OEM's phones. Basically what I'm saying is that Verizon gets exactly what they want out of OEMs. If Verizon wanted more updates, it would get them. If you don't think carriers are the problem, then just look at which ones aren't allowing one of the most well-regarded Android phones of last year (Nexus 4). There's a reason LG never made a Verizon-compatible Nexus 4, and it has nothing to do with LG being lazy about updates. Verizon didn't want it and likely wouldn't allow them on their network even if LG made them compatible and customers bought them unlocked.

Are there instances where the carriers have BLOCKED security updates? If so, I will concede my point and agree this isn't a frivolous lawsuit.

But I have already received two updates for my WP8 device, and they became immediately after Nokia released them. The carriers certainly didn't block those updates. The same is true for the iPhone: Apple releases an update, and the carrier doesn't play a role in blocking it.

So if the carriers are blocking Android updates, that policy is exclusive to Android.

I'm not aware of any instances on record where (let's just say Verizon because they are easily identifiable as the worst in this regard) Verizon out right blocked an update. But they have most definitely held up updates in their "lengthy and totally customer centered" review process for retardedly long times before. And that's only what we know. I doubt that any OEM would want to admit publicly that Verizon refused their well meaning update and they just said OK (which is generally exactly what they do). Apple specifically mandates direct control over updates in their contracts with carriers and I believe MS does as well to some extent with their windows phones. Since Google releases Android open source, they can't do that. OEMs are perfectly happy to sit back and let Verizon screw their customers with ridiculously delayed updates and Google's leverage is already gone. Verizon already won't allow Nexus phones anymore because they have no reason to give in to Google on the control of updates. An army of OEMs is already lined up to provide android phones to Verizon without making a fuss over updates so Google's possible threat of taking their popular Android ball and going home is empty. Verizon can get android without Google's permission and OEMs don't care enough about android's public image to argue when Verizon says it needs to "review" and update for an entire year.

I don't mean to sound rude, but you just made a successful case for the defense of the carriers: "no evidence my clients are blocking anything, Android is just inherently less secure than the competition. But if Android is bad, that's not Verizon's fault".

It sounds to me like Google has done a supremely poor job designing their platform for long term security success. But again, that's not the carrier's fault - that's Google's fault. And the fault of consumers who don't know better.

My point isn't that carriers don't block updates, just that we probably wouldn't hear about it if they did, and we have definitely heard about them delaying them so long that they aren't relevant anymore, which is just as bad as blocking them. Carriers have an EXTREMELY large amount of leverage with low-margin OEMs. Think about your average TV ad from Verizon or AT&T: it's occasionally just about their coverage or data speeds. More often it's about a particular phone that you can only get from them. Their store staff aggressively push certain phones and not others. None of this is by accident, and low-margin OEMs can't afford to have Verizon constantly pushing customers toward the other OEM's phones. Basically what I'm saying is that Verizon gets exactly what they want out of OEMs. If Verizon wanted more updates, it would get them. If you don't think carriers are the problem then just look at which ones aren't allowing one of the most well-regarded Android phones of last year (Nexus 4). There's a reason LG never made a Verizon-compatible Nexus 4, and it has nothing to do with LG being lazy about updates. Verizon didn't want it and likely wouldn't allow them on their network even if LG made them compatible and customers bought them unlocked.

Your point invalidates the lawsuit, though. It sounds like you want the lawsuit to go through to legislate a change in how carriers do business, which is outside the scope of our discussion.

From a technical perspective, unless someone can provide an example of a carrier blocking a security update, the lawsuit won't work. If the OEMs and Google aren't providing security updates, the carriers cannot block them. Regardless of why this behavior is happening, it's true: you can't block something that doesn't exist. And the carriers can point to both Apple and Microsoft for examples of how they're not impeding anything.

THIS. A thousand times this. Last company I consulted for had to recall over 700 Android handsets because of audit compliance and the inability of Android to meet that compliance, let alone be directly and centrally managed without 3rd-party servers and massive expense. This was a major company that ran primarily on Linux and open source software with little to no major brand deployments and only a few MS servers out of several hundred, and a seething internal hatred for Apple. They had spent a ton moving off Blackberry to go to Android on the promise from several vendors and Google that Android would meet FIPS and SOX compliance. Turns out, nope, only a single, customized model met that certification 2 years later.

What did they do? They deployed Apple. A single Mac Mini, a few edits to their Exchange server config (one of the few MS servers they bothered to have, because frankly, nothing in Linux does mail and contacts even close to what Exchange does), and bam, automated profile deployment and central security for iOS with no 3rd-party tools or per-phone fees required.

Android is just too big, too poorly planned out, and too difficult to secure. It was not designed to be secure; it was designed to be a feature-phone OS. Its current UI and app model was tacked on at the last minute, never part of the original design; even touch itself was never part of the design. Having multi-point validations through manufacturers and carriers, no standard model for package deployment or dependency management, and no modularization of code at all in order to roll out patches, leading to 6-12 month release cycles, inability to secure removable storage, requirements for 3rd-party apps for mail security and remote management, and no central leadership or standards from Google leading many devices to not even be fully compatible with corporate mail (many can't do calendar integration, some could not access the corporate directory, it was a mess), the open source leader lost, bad. For Android to hold on in business and government, it needs a top-down, compatibility-breaking redesign. If this case moves forward, and it very well might if the FTC can find any cause that carriers are explicitly hiding this information or delaying/not patching purely based on profitability, not security and user protection, then they'll drop a hammer on carriers hard. If that happens, you'll see the fastest exodus in technological history as carriers themselves abandon Android faster than users to protect themselves, and Android will die in the US overnight, if the EU doesn't take a cue and act faster (and likely they will too).


Carriers blocking security updates? It's happened DOZENS of times. Carriers willingly suspending all patches on phones even in cases where the patch for the SAME OS (let alone an upgraded one) is available from Google, and phones are still covered under original manufacturer warranty, let alone extended warranties, where critical vulnerabilities allowing remote execution of complete device-owning code were demonstrated and circulating in the wild. Carriers have willingly stopped (or never once) updating OSes on devices even when code capable of closing that hole was released 12 full MONTHS before the new model ever landed on the market in the first place, and the patch was never included when it readily could have been on day one.

T-Mobile representatives didn't respond to a message seeking comment for this article.

That pretty much sums up T-Mobile's position.

I do find the slow pace of Android updates maddening. I see complaints about the fragmentation of Android, and wonder what that means exactly, when I rarely see anyone using a version newer than 2.3 -- which was released in 2010.

Your point invalidates the lawsuit, though. It sounds like you want the lawsuit to go through to legislate a change in how carriers do business, which is outside the scope of our discussion.

From a technical perspective, unless someone can provide an example of a carrier blocking a security update, the lawsuit won't work. If the OEMs and Google aren't providing security updates, the carriers cannot block them. Regardless of why this behavior is happening, it's true: you can't block something that doesn't exist. And the carriers can point to both Apple and Microsoft for examples of how they're not impeding anything.

That's not really the point of the lawsuit though. The lawsuit is more about false advertising. Verizon doesn't have to demand more updates from OEMs or reduce their update review delays. The lawsuit simply alleges that they should warn customers about phones which won't get any updates (of which there are plenty). Or, as was also suggested in the lawsuit, let them out of contract when this situation occurs. They should be forced to admit that they sell phones knowing that they will never be upgraded and will become a huge security risk to their users. Simultaneously their ads encourage users to do things with their phone that make these security risks even more problematic, like use banking apps, view work documents, and take large amounts of personal photos and video. I don't particularly think this lawsuit is going anywhere. But between 1. knowing that phones won't be updated and not saying anything, 2. actively suppressing security updates, and 3. encouraging uses of their phones that are problematic when done on an insecure phone, there's definitely some dirty laundry that needs to be hung out to dry even if the suit fails.

I like this discussion and wanted to add another point that seems to have gotten no attention from the participants. (Edit: as I was finishing my typing, @thebonafortuna beat me to my post.)

In this ecosystem, the carriers are in a unique position of actually facing the end-users (they make it impossible for the OEMs to deliver patches because of the network certification practices). Therefore, it seems to me that they are the only ones who have an obligation to make sure that they are selling secure devices. Moreover, if it is discovered that a new vulnerability has been identified, they should be the first ones to take public steps to address the issue (make announcements to warn customers; stop selling the device in extreme cases).

So, it seems to me that at least this part of the accusation is reasonable: carriers don't disclose vulnerabilities to customers and they don't make sufficient efforts to make patches available. If there are as many cases of deliberate heel-dragging as someone had suggested, that is even worse.

Carriers blocking security updates? It's happened DOZENS of times. Carriers willingly suspending all patches on phones even in cases where the patch for the SAME OS (let alone an upgraded one) is available from Google, and phones are still covered under original manufacturer warranty, let alone extended warranties, where critical vulnerabilities allowing remote execution of complete device-owning code were demonstrated and circulating in the wild. Carriers have willingly stopped (or never once) updating OSes on devices even when code capable of closing that hole was released 12 full MONTHS before the new model ever landed on the market in the first place, and the patch was never included when it readily could have been on day one.

Can you provide evidence? I will read it and reconsider my stance. But so far nobody has been able to do that.

I like this discussion and wanted to add another point that seems to have gotten no attention from the participants. (Edit: as I was finishing my typing, @thebonafortuna beat me to my post.)

In this ecosystem, the carriers are in a unique position of actually facing the end-users (they make it impossible for the OEMs to deliver patches because of the network certification practices). Therefore, it seems to me that they are the only ones who have an obligation to make sure that they are selling secure devices. Moreover, if it is discovered that a new vulnerability has been identified, they should be the first ones to take public steps to address the issue (make announcements to warn customers; stop selling the device in extreme cases).

So, it seems to me that at least this part of the accusation is reasonable: carriers don't disclose vulnerabilities to customers and they don't make sufficient efforts to make patches available. If there are as many cases of deliberate heel-dragging as someone had suggested, that is even worse.

I'm glad you posted this, as it saved me. Completely agree. The point is that carriers have the relationship and contract with customers, and as such should be diligent in ensuring the devices they sell are safe for customers to use. If this means they need to chase manufacturers to get security updates out, then they should.

Your rant was spot on up to this point, but then went off the rails. Android is designed to be secure, very secure. Most of the rest of your rant stems from the fact that its security revolves around the person who uses it. If that isn't the person who owns it, well, that's an issue for the owner, like you say. But it doesn't mean Android is insecure.

As for Android "wasn't designed to be a touch OS" - well, neither was BSD, which is what iOS and OS X are based on. But nevertheless it does just fine as the basis for a touch OS, and Android has evolved to be a good touch OS too. The fact that it wasn't originally tells you nothing about what it is now.

THIS. A thousand times this. Last company I consulted for had to recall over 700 Android handsets because of audit compliance and the inability of Android to meet that compliance, let alone be directly and centrally managed without 3rd-party servers and massive expense. This was a major company that ran primarily on Linux and open source software with little to no major brand deployments and only a few MS servers out of several hundred, and a seething internal hatred for Apple. They had spent a ton moving off Blackberry to go to Android on the promise from several vendors and Google that Android would meet FIPS and SOX compliance. Turns out, nope, only a single, customized model met that certification 2 years later.

What did they do? They deployed Apple. A single Mac Mini, a few edits to their Exchange server config (one of the few MS servers they bothered to have, because frankly, nothing in Linux does mail and contacts even close to what Exchange does), and bam, automated profile deployment and central security for iOS with no 3rd-party tools or per-phone fees required.

I'm confused. Are you saying they replaced Blackberry with Mac Mini? Because I thought one is an operating system for a mobile device and the other's a personal computer. In that case, if they wanted to stick with open source, why not replace it with RHEL or some other Linux distro besides Android?

Or are you saying they deployed iPhones? In that case, I don't believe iPhones are FIPS compliant (source: http://csrc.nist.gov/groups/STM/cmvp/do ... 01vend.htm). It's a long list, but the only FIPS compliant items listed for Apple are software modules for Mac OS, not iOS. I haven't done a thorough search for Android related devices in that list, but I did find one software module by Samsung. Is that the one you were talking about?

zelannii wrote:

Android is just too big, too poorly planned out, and too difficult to secure. It was not designed to be secure; it was designed to be a feature-phone OS. Its current UI and app model was tacked on at the last minute, never part of the original design; even touch itself was never part of the design. Having multi-point validations through manufacturers and carriers, no standard model for package deployment or dependency management, and no modularization of code at all in order to roll out patches, leading to 6-12 month release cycles, inability to secure removable storage, requirements for 3rd-party apps for mail security and remote management, and no central leadership or standards from Google leading many devices to not even be fully compatible with corporate mail (many can't do calendar integration, some could not access the corporate directory, it was a mess), the open source leader lost, bad. For Android to hold on in business and government, it needs a top-down, compatibility-breaking redesign. If this case moves forward, and it very well might if the FTC can find any cause that carriers are explicitly hiding this information or delaying/not patching purely based on profitability, not security and user protection, then they'll drop a hammer on carriers hard. If that happens, you'll see the fastest exodus in technological history as carriers themselves abandon Android faster than users to protect themselves, and Android will die in the US overnight, if the EU doesn't take a cue and act faster (and likely they will too).

I have not worked with Android code, but since Android is based on a (relatively) modern Linux kernel and Android has contributed back to the Linux kernel, I find it very hard to believe that its code is not modular. As for the multi-point validations, a legitimate theory is that those are for the component drivers by the hardware manufacturers and their partners (e.g. Samsung, HTC, Sony, Marvell, Broadcom, Nvidia, etc.) as well as the software skins. Additionally, there is validation required with a country's regulatory body (e.g. FCC) regarding spectrum usage and transmit power. Furthermore, the carrier (e.g. Verizon, Sprint, etc.) may need to add binaries that allow the phone to use certain services.

Unfortunately, I have completely zero experience with Android with regard to corporate integration, so I can't answer the rest of your complaints. I will say that a lot of companies use Microsoft for their backbone, where only a Microsoft (not Apple, not Linux) solution can fully integrate and access everything. In that frame of mind, I'm sure Android would work if the company chose to use Google business services.